Ruby

Deserialization Issues Also Affect Ruby -- Not Just Java, PHP, and .NET (zdnet.com) 62

An anonymous reader writes: The Ruby programming language is impacted by a similar "deserialization issue" that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. Researchers published proof-of-concept code this week showing how to exploit serialization/deserialization operations supported by the built-in features of the Ruby programming language itself.

"Versions 2.0 to 2.5 are affected," researchers said. "There is a lot of opportunity for future work including having the technique cover Ruby versions 1.8 and 1.9 as well as covering instances where the Ruby process is invoked with the command line argument --disable-all," the elttam team added. "Alternate Ruby implementations such as JRuby and Rubinius could also be investigated."

The deserialization issues can be used for remote code execution and taking over vulnerable servers. While .NET and PHP were affected, it was Java that until now has faced the biggest issues with deserialization; earlier this year, Oracle announced it was dropping deserialization support from the Java language's standard package.

Facebook

Can Facebook Keep Large-Scale Misinformation From the Free World? (sfgate.com) 189

You can have a disaster-free Election Day in the social media age, writes New York Times columnist Kevin Roose, "but it turns out that it takes constant vigilance from law enforcement agencies, academic researchers and digital security experts for months on end." It takes an ad hoc "war room" at Facebook headquarters with dozens of staff members working round-the-clock shifts. It takes hordes of journalists and fact checkers willing to police the service for false news stories and hoaxes so that they can be contained before spreading to millions. And even if you avoid major problems from bad actors domestically, you might still need to disclose, as Facebook did late Tuesday night, that you kicked off yet another group of what appeared to be Kremlin-linked trolls...

Most days, digging up large-scale misinformation on Facebook was as easy as finding baby photos or birthday greetings... Facebook was generally responsive to these problems after they were publicly called out. But its scale means that even people who work there are often in the dark... Other days, combing through Facebook falsehoods has felt like watching a nation poison itself in slow motion. A recent study by the Oxford Internet Institute, a department at the University of Oxford, found that 25 percent of all election-related content shared on Facebook and Twitter during the midterm election season could be classified as "junk news"...

Facebook has framed its struggle as an "arms race" between itself and the bad actors trying to exploit its services. But that mischaracterizes the nature of the problem. This is not two sovereign countries locked in battle, or an intelligence agency trying to stop a nefarious foreign plot. This is a rich and successful corporation that built a giant machine to convert attention into advertising revenue, made billions of dollars by letting that machine run with limited oversight, and is now frantically trying to clean up the mess that has resulted... It's worth asking, over the long term, why a single American company is in the position of protecting free and fair elections all over the world.

Despite whatever progress has been made, the article complains that "It took sustained pressure from lawmakers, regulators, researchers, journalists, employees, investors and users to force the company to pay more attention to misinformation and threats of election interference. Facebook has shown, time and again, that it behaves responsibly only when placed under a well-lit microscope.

"So as our collective attention fades from the midterms, it seems certain that outsiders will need to continue to hold the company accountable, and push it to do more to safeguard its users -- in every country, during every election season -- from a flood of lies and manipulation."
Businesses

Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com) 373

AmiMoJo writes: Apple's new-generation Macs come with a new so-called Apple T2 security chip that's supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple's computers, and by the looks of things, it's also responsible for a series of new restrictions that Linux users aren't going to like.

The issue seems to be that Apple has included security certificates for its own and Microsoft's operating systems (to allow running Windows via Bootcamp), but not for the certificate that was provided for systems such as Linux. Disabling Secure Boot can overcome this, but also disables access to the machine's internal storage, making installation of Linux impossible.

Privacy

Georgia's Secretary of State Brian Kemp Doxes Thousands of Absentee Voters 452

An anonymous reader quotes a report from TechCrunch: Georgia's secretary of state and candidate for state governor in the midterm election, Brian Kemp, has taken the unusual, if not unprecedented step of posting the personal details of 291,164 absentee voters online for anyone to download. Kemp's office posted an Excel file on its website within hours of the results of the general election, exposing the names and addresses of state residents who mailed in an absentee ballot -- including their reason why, such as if a person is "disabled" or "elderly."

The file, according to the web page, allows Georgia residents to "check the status of your mail-in absentee ballot." Millions of Americans across the country mail in their completed ballots ahead of election day, particularly if getting to a polling place is difficult -- such as if a person is disabled, elderly or traveling. When reached, Georgia secretary of state's press secretary Candice Broce told TechCrunch that all of the data "is clearly designated as public information under state law," and denied that the data was "confidential or sensitive." "State law requires the public availability of voter lists, including names and address of registered voters," she said in an email.
"While the data may already be public, it is not publicly available in aggregate like this," said security expert Jake Williams, founder of Rendition Infosec, who lives in Georgia. Williams took issue with the reasons that the state gave for each absentee ballot, saying it "could be used by criminals to target currently unoccupied properties." "Releasing this data in aggregate could be seen as suppressing future absentee voters in Georgia who do not want their information released in this manner," he said.
Communications

Police Decrypt 258,000 Messages After Breaking Pricey IronChat Crypto App (arstechnica.com) 122

An anonymous reader quotes a report from Ars Technica: Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden. In a statement published Tuesday, Dutch police said officers achieved a "breakthrough in the interception and decryption of encrypted communication" in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

"Criminals thought they could safely communicate with so-called crypto phones which used the application IronChat," Tuesday's statement said. "Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time." Blackbox-security.com, the site selling IronChat and IronPhone, quoted Snowden as saying: "I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation," according to Web archives. Whether the endorsement was authentic or not wasn't immediately known. The site has been seized by Dutch police.

News

California Voters Embrace Year-Round Daylight-Saving Time (sfchronicle.com) 279

Californians warmed to the idea of year-round daylight-saving time, approving an initiative that would urge state lawmakers to junk the annual springing forward and falling back. From a report: With 43 percent of precincts reporting Tuesday night, Proposition 7 was leading 61 percent to 39 percent. It's a long way from here to year-round daylight-saving time. First, the Legislature would have to approve it by a two-thirds vote. Then Congress would have to allow California to deviate from standard time when most of the rest of the nation shifts to it.
Privacy

Equifax Extends Free Credit Monitoring -- But Outsources It To Experian (krebsonsecurity.com) 47

An anonymous reader quotes Krebs on Security: A year after offering free credit monitoring to all Americans on account of its massive data breach that exposed the personal information of nearly 148 million people, Equifax now says it has chosen to extend the offer by turning to a credit monitoring service offered by a top competitor -- Experian. And to do that, it will soon be sharing with Experian contact information that affected consumers gave to Equifax in order to sign up for the service... Equifax says it will share the name, address, date of birth, Social Security number and self-provided phone number and email address with Experian for anyone who signed up for its original TrustedID Premier offering. That is, unless those folks affirmatively opt-out of having that information transferred from Equifax to Experian. But not to worry, Equifax says: Experian already has most of this data. "Experian currently has and is using this information (except phone number and email address) in the fulfillment of the Experian file monitoring which is part of your current service with TrustedID Premier," Equifax wrote in its email.
Krebs also points out the big problem with all credit monitoring services: "while they might let you know when someone has stolen your identity, they're not likely to prevent that from occurring in the first place." The best mechanism for preventing identity thieves from creating and abusing new accounts in your name is to freeze your credit file with Experian, Equifax and TransUnion. This process is now free for all Americans, and simply blocks potential creditors from viewing your credit file. Since very few creditors are willing to grant new lines of credit without being able to determine how risky it is to do so, freezing your credit file with the Big Three is a great way to stop all sorts of ID theft shenanigans... All three big bureaus tout their credit lock services as an easier and faster alternative to freezes -- mainly because these alternatives aren't as disruptive to their bottom lines....

TransUnion and Equifax both offer free credit lock services, while Experian's is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What's more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its "premium" lock services for a monthly fee with a perpetual auto-renewal. Unsurprisingly, the bureaus' use of the term credit lock has confused many consumers; this was almost certainly by design. But here's one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

Open Source

How New, Polite Linus Torvalds Points Out Bad Kernel Code (phoronix.com) 370

Linus Torvalds "has shown already for the new Linux 4.20~5.0 cycle he isn't relaxing his standards but is communicating better when it comes to bringing up coding," reports Phoronix, adding "So far it looks like Linus' brief retreat is paying off with still addressing code quality issues -- and not blatantly accepting new code into the kernel as some feared -- but in doing so in a professional manner compared to his past manner of exclaiming himself over capitalized sentences and profanity that at times put him at odds with some in the Linux kernel community."

AmiMoJo quotes their report: Last Saturday he took issue with the HID pull request and its introduction of the BigBen game controller driver that was introduced: the developer enabled this new driver by default. Linus Torvalds has always frowned upon random new drivers being enabled by default in the kernel configuration driver. [H]e still voiced his opinion over this driver's default "Y" build configuration, but did so in a more professional manner than he has done in the past:

We do *not* enable new random drivers by default. And we most *definitely* don't do it when they are odd-ball ones that most people have never heard of.

Yet the new "BigBen Interactive" driver that was added this merge window did exactly that.

Just don't do it.

Yes, yes, every developer always thinks that _their_ driver is so special and so magically important that it should be enabled by default. But no. When we have thousands of drivers, we don't randomly pick one new driver to be enabled by default just because some developer thinks it is special. It's not.... Please don't do things like this.

Phoronix also describes another "kernel oops" testing Torvalds' patience, in which Linus responded tactfully that "What makes me *very* unhappy about this is that if I'm right, I think it means that code was literally not tested at all by anybody who didn't have one of the entries in that list."
Science

CERN Begins New Antimatter Gravity Experiments (phys.org) 90

An anonymous reader quotes a report from Phys.Org: We learn it at high school: Release two objects of different masses in the absence of friction forces and they fall down at the same rate in Earth's gravity. What we haven't learned, because it hasn't been directly measured in experiments, is whether antimatter falls down at the same rate as ordinary matter or if it might behave differently. Two new experiments at CERN, ALPHA-g and GBAR, have now started their journey towards answering this question.

After months of round-the-clock work by researchers and engineers to put together the experiments, ALPHA-g and GBAR have received the first beams of antiprotons, marking the beginning of both experiments. ALPHA-g began taking beam on October 30, after receiving the necessary safety approvals. ELENA sent its first beam to GBAR on July 20, and since then the decelerator and GBAR researchers have been trying to perfect the delivery of the beam. The ALPHA-g and GBAR teams are now racing to commission their experiments before CERN's accelerators shut down in a few weeks for a two-year period of maintenance work.

Earth

Startling New Research Finds Large Buildup of Heat in the Oceans, Suggesting a Faster Rate of Global Warming [Update] (washingtonpost.com) 407

The world's oceans have been soaking up far more excess heat in recent decades than scientists realized, suggesting that Earth could be set to warm even faster than predicted in the years ahead, according to new research published Wednesday. From a report: Over the past quarter-century, the Earth's oceans have retained 60 percent more heat each year than scientists previously had thought, said Laure Resplandy, a geoscientist at Princeton University who led the startling study published Wednesday in the journal Nature. The difference represents an enormous amount of additional energy, originating from the sun and trapped by the Earth's atmosphere -- more than 8 times the world's energy consumption, year after year.

In the scientific realm, the new findings help to resolve long-running doubts about the rate of the warming of the oceans before 2007, when reliable measurements from devices called "Argo floats" were put to use worldwide. Before that, different types of temperature records -- and an overall lack of them -- contributed to murkiness about how quickly the oceans were heating up. The higher-than-expected amount of heat in the oceans means more heat is being retained within the Earth's climate system each year, rather than escaping into space. In essence, more heat in the oceans signals that global warming itself is more advanced than scientists thought.

"We thought that we got away with not a lot of warming in both the ocean and the atmosphere for the amount of CO2 that we emitted," said Resplandy, who published the work with experts from the Scripps Institution of Oceanography and several other institutions in the U.S., China, France and Germany. "But we were wrong. The planet warmed more than we thought. It was hidden from us just because we didn't sample it right. But it was there. It was in the ocean already." Wednesday's study also could have important policy implications. If ocean temperatures are rising more rapidly than previously calculated, that could leave nations even less time to dramatically cut the world's emissions of carbon dioxide, in hopes of limiting global warming to the ambitious goal of 1.5 degrees Celsius (2.7 degrees Fahrenheit) above preindustrial levels.
Updated on November 14 at 14:40 GMT: Scientists Acknowledge Key Errors in Study of How Fast the Oceans Are Warming.
NASA

With Fuel Exhausted, NASA Retires Kepler Telescope (space.com) 124

ewhac writes: NASA today announced that it is retiring the Kepler telescope after nearly ten years of service -- double its initial mission life. In that time, Kepler discovered over 2,600 exoplanets, most of which are between the size of Earth and Neptune, sparking an entirely new field of astronomical research, and revealing for the first time just how common exo-planetary systems are. With its fuel supply exhausted, Kepler is no longer able to maneuver or reorient itself to make observations. NASA has elected to decommission the spacecraft and leave it in its current, safe orbit away from Earth.
Open Source

Samsung Open-Source Group Reportedly Shuts Down (phoronix.com) 50

At a time when several companies have grown new interest in open sourcing part of their offerings, Samsung appears to be going the other way. The company has shut down the Samsung Open-Source Group (Samsung OSG), according to a report. Phoronix, which reported the development, offers some background: Samsung's Open-Source Group had been structured within Samsung Research America. Samsung OSG was formed back in 2012 and has employed dozens of developers over the past number of years. Samsung OSG was akin to Intel OTC (Open-Source Technology Center) albeit with not nearly as many developers nor as many original open-source projects brought up by the Intel software crew. The Samsung OSG stated purpose has been to "enhance key open source projects through upstream contributions and active involvement with open source foundations." Samsung OSG has contributed very heavily to the development of Wayland as well as some X.Org components, Cairo, Enlightenment EFL, the LLVM Clang compiler, GStreamer, FFmpeg, the Linux kernel, and other related code-bases that helped benefit Samsung's open-source/Linux needs across their wide portfolio of products from smart watches to refrigerators.
Operating Systems

The Linux Kernel Is Now VLA-Free: A Win For Security, Less Overhead and Better For Clang (phoronix.com) 113

With the in-development Linux 4.20 kernel, it is now effectively VLA-free. From a report: Variable-length arrays (VLAs) can be convenient and are part of the C99 standard, but they can have unintended consequences. VLAs allow for array lengths to be determined at run-time rather than compile time. The Linux kernel has long relied upon VLAs in different parts of the kernel -- including within structures -- but going on for months now (and years if counting the kernel Clang'ing efforts) there has been an effort to remove the usage of variable-length arrays within the kernel. The problems with them are:
1. Using variable-length arrays can add some minor run-time overhead to the code due to needing to determine the size of the array at run-time.
2. VLAs within structures are not supported by the LLVM Clang compiler and are thus an issue for those wanting to build the kernel outside of GCC; Clang only supports the C99-style VLAs.
3. Arguably most important, there can be security implications from VLAs around the kernel's stack usage.

United States

US Air Pollution Deaths Nearly Halved Between 1990 and 2010 (eurekalert.org) 134

An anonymous reader quotes a report from EurekAlert: Air pollution in the U.S. has decreased since about 1990, and a new study conducted at the University of North Carolina at Chapel Hill now shows that this air quality improvement has brought substantial public health benefits. The study, published in the journal Atmospheric Chemistry and Physics, found that deaths related to air pollution were nearly halved between 1990 and 2010. The team's analyses showed that deaths related to air pollution exposure in the U.S. decreased by about 47 percent, dropping from about 135,000 deaths in 1990 to 71,000 in 2010.

These improvements in air quality and public health in the U.S. coincided with increased federal air quality regulations, and have taken place despite increases in population, energy and electricity use, and vehicle miles traveled between 1990 and 2010. [...] Still, despite clear improvements, air pollution remains an important public health issue in the U.S. The estimated 71,000 deaths in 2010 translates to 1 of every 35 deaths in the U.S. -- that's as many deaths as we see from all traffic accidents and all gun shootings combined.

Social Networks

Trolls Are Still Actively Trying to Influence Brexit and US Elections (go.com) 470

TechCrunch reports: A major new campaign of disinformation around Brexit, designed to stir up U.K. 'Leave' voters, and distributed via Facebook, may have reached over 10 million people in the U.K., according to new research. The source of the campaign is so far unknown, and will be embarrassing to Facebook, which only this week claimed it was clamping down on "dark" political advertising on its platform. Researchers for the U.K.-based digital agency 89up allege that Mainstream Network -- which looks and reads like a "mainstream" news site but which has no contact details or reporter bylines -- is serving hyper-targeted Facebook advertisements aimed at exhorting people in Leave-voting U.K. constituencies to tell their MP to "chuck Chequers." Chequers is the name given to the U.K. Prime Minister's proposed deal with the EU regarding the U.K.'s departure from the EU next year.
ABC News reports: When the Justice Department unsealed criminal charges detailing a yearslong effort by a Russian troll farm to "sow division and discord in the U.S. political system," it was the first federal case alleging continued foreign interference in U.S. elections. Earlier Friday, American intelligence officials released a rare public statement asserting that Russia, China, Iran and other countries are engaged in ongoing efforts to influence U.S. policy and voters in future elections. The statement didn't provide details on those efforts. That stood in contrast with the criminal charges, which provided a detailed narrative of Russian activities...

The criminal complaint provided a clear picture that there is still a hidden but powerful Russian social media effort aimed at spreading distrust for American political candidates and causing divisions on social issues such as immigration and gun control.... Court papers describe how the operatives in Friday's case would analyze U.S. news articles and decide how they would draft social media messages about those stories. They also show that Russian trolls have stepped up their efforts with a better understanding of the U.S. political climate and messages that are no longer riddled with misspellings.

CNN notes that one week before America's 2016 presidential election, "one of the Kremlin-backed accounts denied that Russian meddling, saying: 'Russia's Putin says Moscow not trying to influence U.S. election.'"
PHP

As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5 (threatpost.com) 112

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."
Transportation

Watch What Happens When A Drone Slams Into An Airplane Wing (sacbee.com) 131

Long-time Slashdot reader Freshly Exhumed writes: Researchers at the University of Dayton Research Institute [Impact Physics Lab] have shown in a video what can happen when a high-mass, consumer-level drone strikes the wing of an aircraft. They provide visual evidence of the damage a 2.1-pound DJI Phantom 2 videography quadcopter would have upon the wing of a Mooney M20, a small, private aircraft. It is not difficult to extrapolate the effects upon an airliner in a similar situation. "We wanted to help the aviation community and the drone industry understand the dangers that even recreational drones can pose to manned aircraft before a significant event occurs," said Kevin Poormon of UDRI.
The video -- titled "Risk in the Sky?" -- simulates a collision at 238 mph in which the drone tears open the wing's leading edge.

"While the quadcopter broke apart, its energy and mass hung together to create significant damage to the wing," said Kevin Poormon, group leader for impact physics at UDRI.
Security

Zero-Day In Popular jQuery Plugin Actively Exploited For At Least Three Years (zdnet.com) 44

Slashdot reader generic shares a report from ZDNet: For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

Earlier this year, Larry Cashdollar, a security researcher for Akamai's SIRT (Security Intelligence Response Team), discovered a vulnerability in the plugin's source code that handles file uploads to PHP servers. Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells. The Akamai researcher says the vulnerability has been exploited in the wild. "I've seen stuff as far back as 2016," the researcher told ZDNet in an interview. The vulnerability was one of the worst kept secrets of the hacker scene and appears to have been actively exploited, even before 2016. Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015.
Thankfully, the CVE-2018-9206 identifier was pushed earlier this month to address this issue. "All jQuery File Upload versions before 9.22.1 are vulnerable," reports ZDNet. "Since the vulnerability affected the code for handling file uploads for PHP apps, other server-side implementations should be considered safe."
Data Storage

Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data (techcrunch.com) 44

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

Bug

'Hyperalarming' Study Shows Massive Insect Loss (washingtonpost.com) 336

An anonymous reader quotes a report from The Washington Post: Insects around the world are in a crisis, according to a small but growing number of long-term studies showing dramatic declines in invertebrate populations. A new report suggests that the problem is more widespread than scientists realized. Huge numbers of bugs have been lost in a pristine national forest in Puerto Rico, the study found, and the forest's insect-eating animals have gone missing, too. The latest report, published Monday in the Proceedings of the National Academy of Sciences, shows that this startling loss of insect abundance extends to the Americas. The study's authors implicate climate change in the loss of tropical invertebrates.

Bradford Lister, a biologist at Rensselaer Polytechnic Institute in New York, has been studying rain forest insects in Puerto Rico since the 1970s. "We went down in '76, '77 expressly to measure the resources: the insects and the insectivores in the rain forest, the birds, the frogs, the lizards," Lister said. He came back nearly 40 years later, with his colleague Andrés García, an ecologist at the National Autonomous University of Mexico. What the scientists did not see on their return troubled them. "Boy, it was immediately obvious when we went into that forest," Lister said. Fewer birds flitted overhead. The butterflies, once abundant, had all but vanished. García and Lister once again measured the forest's insects and other invertebrates, a group called arthropods that includes spiders and centipedes. The researchers trapped arthropods on the ground in plates covered in a sticky glue, and raised several more plates about three feet into the canopy. The researchers also swept nets over the brush hundreds of times, collecting the critters that crawled through the vegetation. Each technique revealed the biomass (the dry weight of all the captured invertebrates) had significantly decreased from 1976 to the present day. The sweep sample biomass decreased to a fourth or an eighth of what it had been. Between January 1977 and January 2013, the catch rate in the sticky ground traps fell 60-fold.
The study also found a 30-percent drop in anole lizards, which eat arthropods. Some anole species have disappeared entirely from the interior forest. Another research team captured insect-eating frogs and birds in 1990 and 2005, and found a 50 percent decrease in the number of captures. The authors attribute this decline to the changing climate.
